* 198 Replaced CSS sanitizer with one that does token-level filtering, and replaces the old CSS lexer that used regular expressions with one that doesn't back-track, or behave quadratically on crafted inputs.

* 132 Add methods to policy builder to specify which elements are allowed to contain text and change default to disallow text in CDATA elements whose content is often not plain text. If custom element policies that change the element type fail, make sure the policy allows the output element type.

* 122 Restrict where text-nodes can validly appear in output per HTML5 rules and changed the tag balancer to do better error recovery on misplaced phrasing content.

+

−

* 114 Changed rendering to ensure that the output HTML is valid XML when the policy prohibits HTML raw text & RCDATA elements as is almost always the case.

+

| leader_name1 = Mike Samuel

−

* 104 Changed lexer to treat <?…> using the HTML5 bogus comment state grammar which agrees with XML's processing instruction production. Previously, the token ended at the first "?>" or end-of-file instead of the first ">".

* 88 Cleaned up raw-text tag handling. XMP, LISTING, PLAINTEXT now handled by substitution in the renderer and changed NOSCRIPT and friends so they are treated consistently when elided as when present in output. Added workaround for IE8 innerHTML wierdness.